Microsoft Exec Backs EU-U.S. 'Privacy Shield' for Data Transfers

A new European Union-United States Privacy Shield agreement, announced by the European Commission on July 12, has the support of Microsoft's top government executive in the EU.

The Privacy Shield agreement is the replacement for the Safe Harbor agreement that previously had served as the legal basis for protecting data transferred between the European Union countries and the United States. The European Court of Justice had scrapped that Safe Harbor framework in October, perhaps because of the massive bulk spying details disclosed by the document leaks of former U.S. National Security Agency contractor and whistleblower Edward Snowden.

John Frank, Microsoft's vice president for EU government affairs, expressed his personal opinion in a blog post that the emerging EU-U.S. Privacy Shield would address the privacy concerns of EU member countries and individuals:

Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans' right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data.

Specifically, the Privacy Shield permits individuals and organizations in EU member countries to sue in U.S. courts when privacy laws may have been violated. Their ability to sue was enabled when President Obama signed the Judicial Redress Act in February. Previously, U.S. organizations and individuals could sue in European courts, but not vice versa, which the European Commission saw as a stumbling block toward reform, according to its February draft of the Privacy Shield.

That February draft also called for the following guarantees:

"Strong obligations on companies and robust enforcement"

"Clear safeguards and transparency obligations on U.S. government access"

"Effective protection," with complaint resolution within 45 days

"Annual joint review mechanism"

The European Commission clarified the first point in an earlier announcement by explaining that "U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed," and that the U.S. Department of Commerce "will monitor that companies publish their commitments."

As for U.S. transparency, the Commission indicated it was given assurances by the U.S. government that "any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data."

The annual review specified in the agreement will be conducted by the European Commission and the U.S. Department of Commerce, along with "national intelligence experts from the U.S. and European Data Protection Authorities," according to the draft. This review will result in a report, which will be issued to the "European Parliament and the Council."

In late June, the Electronic Privacy Information Center (EPIC) issued a critique of the Privacy Shield's revised draft, indicating that it had failed to "resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor." EPIC and other nongovernmental organizations had earlier stated in a letter to EU authorities that establishment of the Privacy Shield should be contingent on having the United States "formally commit to substantial reforms to respect human rights and international law," which was lacking in the Privacy Shield draft. They also called for "a narrowed definition of 'foreign intelligence information' to limit the scope of data collection."

It's not clear if those concerns were addressed in the Privacy Shield's final draft.

Microsoft, for its part, has a lot at stake in getting these international legal protections in place. EU markets likely won't use its cloud services without U.S. government assurances on data privacy and data sovereignty protections. Microsoft recently described that stake. It has invested $15 billion in building out its datacenter infrastructure worldwide, and it has invested with Facebook in building out its own trans-Atlantic undersea cable infrastructure.

It's not really clear how data can be protected via legal agreements between governments. Undersea communications hubs typically get tapped secretly by governments, according to revelations from Snowden-leaked documents.

Nothing in the Privacy Shield agreement would seem to apply to U.S. citizens or organizations, except that EU and U.S. parties now share the right to sue in U.S. courts. However, it's not clear they'd have the requisite information to carry out such actions. For instance, Microsoft currently has a lawsuit contesting 2,576 U.S. gag orders in which government agencies are seeking customer data or information without notifying the customer of the request. Microsoft also is actively pursuing an appeal contesting a U.S. government request for customer data stored in a Microsoft datacenter in Dublin, Ireland.